Corporate Headquarters:
PA Consulting Group
123 Buckingham Palace Road
London SW1W 9SR
UK
Tel: +44 20 7730 9000
Fax: +44 20 7333 5050
www.paconsulting.com
Version no: 1.0
STRICTLY CONFIDENTIAL BETWEEN PA CONSULTING SERVICES LIMITED AND THE FCA
CONTENTS
1. EXECUTIVE SUMMARY
2. THE DESIGN OF THE FLEXIBLE SUPERVISORY FRAMEWORK
3. GOVERNANCE, COLLABORATION AND WAYS OF WORKING
4. DATA AND MARKET INTELLIGENCE
5. RISK IDENTIFICATION AND MANAGEMENT
APPENDICES
Appendix 1 – Approach
Appendix 2 – Interviewees
Appendix 3 – Level 1 Strategy & Operational Planning process
Appendix 4 – Level 2 Crystallised Risk process
Appendix 5 – Data Sources
Appendix 6 – Retail Lending Sector Strategy SIPOC and process
1. EXECUTIVE SUMMARY
The FCA’s approach to flexible firm supervision was implemented in 2015, partially in response to the
inclusion of consumer credit firms which led to a significant increase in supervisory responsibilities, as
well as a range of new functions that Parliament had asked the FCA to take on*. By working in this way,
the FCA aims to supervise firms and markets more flexibly and better allocate resources to those firms
presenting the greatest risk to consumers and to the financial system in general.
To do this, the firms under the FCA’s remit have been split into “fixed” and “flexible” populations, with
those fixed retaining one-to-one, proactive supervision while those in the flexible portfolio are overseen
by the monitoring of market based risks and crystallised risk events.
Supporting this framework are “House Views” and sector strategies. The House Views, introduced in
2015 as a “baseline view” are intended to represent the collated views of all relevant FCA departments
on the priorities for each sector based on a wide collection of data sources and opinions. Each House
View should set the priorities that form the basis for the FCA – including Supervision – for each sector
and for both fixed and flexible firms, as well as informing the risk prioritisation and mitigation across
Supervision.
The revised approach aims to enable the FCA to supervise firms and markets in a more flexible way
and be better equipped to distribute resources to firms and issues presenting the most substantial risks.
The updated supervision model explicitly aims to put decision making as close to the frontline as
possible. This includes the responsibility for defining and monitoring risk appetites, creating plans to
deliver against that appetite and the mitigation of key risks within sectors. The accountability for these
processes lies with the Sector Director or Sector HoD.
Nearly six months on from the implementation of this approach, the FCA has engaged PA to assess its
effectiveness in practice. While some parts of the approach are still being embedded across
Supervision, this assessment looks at how the Supervision risk and management framework supports
the new approach to flexible firms and where further development may be necessary in order to make
it fully effective, focussing on the flexible population.
In summary the review identified that some of the key objectives of the flexible firm strategy have not
been fully achieved to date. One of the aims of the framework was to provide flexibility to sectors. While
the aim of providing flexibility has been achieved, there remain a number of issues and opportunities
for improvement. Sectors recognise the need for balance between the level of autonomy and the
consistency that can be provided through a more structured approach to the planning process. Further
clarity on the expected outputs from the planning process will aid the production of sector plans that
can be compared and contrasted across sectors. In addition, the current governance frameworks within
and across sectors are informal and generally unstructured. Our specific findings related to the application
of the flexible framework and governance can be summarised under two broad areas:
The lack of a standard set of definitions and expectations has led to an inconsistent application
of the flexible supervisory framework across the organisation. The flexible firm supervision
strategy has allowed the sectors considerable flexibility in how it is implemented in each area. However,
a standard set of expectations and definitions of sector “strategies” and “plans” have not been provided.
Consequently, there is at times a lack of understanding about the direction, responsibilities and
processes in each sector. As a result the Executive Directors are in some cases unable to obtain a
consistent view of sector plans or ensure that the flexible strategy is being executed effectively in each
sector and in line with FCA priorities.
* As stated in the FCA’s “Our Strategy” document of 2014, Parliament had asked the FCA to take on a whole range of new functions,
concurrent competition powers and the new Payments Systems Regulator – an ever increasing waterfront to police – which meant the FCA
had to be smart about how it made best use of its resources.
There is no single system of governance that supports the approach to risk management.
Similarly to the derivation of sector strategies and plans, each sector has implemented governance in
a different way. This has contributed to a mixed picture regarding the visibility of sector decision making
at Executive Director level. This impacts the ability of senior management to ensure that decisions are
being made in line with the supervisory strategy and the FCA priorities. In addition, there is a lack of
robust and formal structured interfaces across supervisory and non-supervisory teams. This has
contributed to a lack of coordinated and consistent collaboration and knowledge sharing across the
organisation. As a result planning and decisions are often being made without input from all regulatory
parties.
Beyond the issues above that have arisen as a result of the inconsistent application of the flexible
approach there are more fundamental issues that have hindered the flexible firm strategy in achieving
its objectives.
The flexible firm supervision strategy requires supervisors to focus on market based risks, rather than
proactive, one-to-one firm based supervision. This focus is dependent on the FCA’s ability to
understand the market based risks based on its collective intelligence. However, limitations with the
availability of quality data and the inadequate use of internal intelligence directly impact the ability of
the FCA to collate appropriate intelligence across many sectors. In addition, the disparate approach to
risk identification and measurement across the organisation further compounds the impact on the FCA’s
ability to identify and mitigate risks and meet the objective of the flexible firm strategy. Our specific
findings related to data and risk management can be summarised under two broad areas:
In some sectors, Supervision does not have data of sufficient quality to allow the consistent
identification, measurement or monitoring of sector and cross-sector risks. Due to the lack of
conduct related data that is received from firms as part of the regulatory returns process the FCA is
restricted in its ability to consistently define conduct related market risks in some areas. The collation
and interpretation of market based risk is further impacted by instances in which sectors are not utilising
all potential data sources or are using data that may not be the most appropriate to support decision making.
There are inconsistencies in how risks are measured, monitored and reported. Risk appetites have
not been effectively translated and embedded into operational processes. This has created a disconnect
between the risk appetites and actual work being undertaken across Supervision. In addition, risks are
identified and defined in an inconsistent fashion across sectors which means that it is difficult to
compare and contrast risks across sectors. The lack of consistent risk identification, monitoring and
reporting means that the organisation is limited in its ability to ‘connect the dots’ and be confident that
it is able to identify emerging risks.
This report sets out our detailed findings in each of these areas.
Overall assessment
It is clear that the sectors have embraced the flexibility that has been provided to them as part of the
new approach to the flexible firm population. While this has resulted in some positive impacts on
supervision a number of operational complexities have surfaced which directly impact the management
of sector and cross-sector risk. Some of these issues could be addressed by the introduction of a degree
of structure coupled with a refresher exercise on the application of the flexible approach across the
organisation. In addition, the introduction of a formalised governance structure will aid communication
and visibility across sectors and divisions as well as up to Executive Director level.
The area of data and intelligence will require a focused review, and there is a data strategy being
developed. However, the current deficits in the data that the FCA receive and its subsequent utilisation
would benefit from a cross-sector review (potentially as part of the work to define the new data strategy)
to ensure that data becomes a key enabler to the identification and monitoring of market based risk.
_________________________________________________________________________________
Background
The updated supervision framework expressly aims to put decision making as “close to the frontline
as possible”, with accountability at Sector Director or HoD level. This responsibility covers:
• Defining and monitoring risk appetites;
• Creating strategies to deliver against that appetite;
• Mitigating key risks within sectors; and,
• Governance and decision making processes.
The drive for flexibility and sector based decision making has empowered sector leadership to be
innovative in the ways their flexible portfolios are supervised. This section explores the resulting
variations, aims to highlight areas of positive practice but also those leading to operational issues in the
approach to supervision. This section considers the following:
• The variations between sectors in the application of the framework (e.g. the definition of fixed vs
flexible firms and the contents of the sector strategies created);
• The appropriateness of the balance between autonomy and conformity across sectors; and
• The expectations of each sector and their understanding of the new supervisory framework.
The resultant governance and operational complexities from the variable application of the framework
are noted and are detailed further in section 3 of this report.
The autonomy provided to sectors has resulted in some positive outcomes but there are also
variations that suggest a misunderstanding or lack of confidence in the flexible supervision
framework
As mentioned above, the flexibility afforded to sectors as part of the supervisory approach has given
sectors considerable autonomy in developing strategies to manage risk in their flexible portfolio. Sectors
have used this autonomy to implement some logical and effective improvements to supervision,
including:
• The variable definition of fixed and flexible firms depending on sector or sub-sector characteristics
or the data available to the sector team;
• The customisation of risk appetites across sectors with qualitative decision criteria reflecting specific
sector characteristics. These include specific responses to payment systems outages or pension
scams. It should be noted however that while this innovation is positive, there are consequences to
this variation that require further attention. These are discussed in section 3;
• Approaches to thematic or market based work are driven by the data available to each sector and
provide a basis for better understanding flexible firms; and
• Innovative approaches to data gathering and analysis have been devised in response to the specific
characteristics of the sector or the data available.
In particular, there are several notable sector specific improvements in the management of supervisory
risk:
• The flexibility in adjusting risk appetites has allowed Retail Investments to mandate that risk events
linked to pension scams and pension transfer suitability are always acted upon. This has allowed
the sector to respond to a specific risk to their market through the management of risk events;
• Investment Management has undertaken an analysis of the sector and concluded that sectoral
characteristics such as the approach to investment (active vs passive) or the risk associated in the
investment strategy of a fund should be included in the definition of fixed and flexible firms rather
than simply size or assets under management alone.
• Mortgages and Mutuals is able to leverage the rich data sources available to focus on multi-firm
interventions rather than just thematic analyses. It can directly manage market risks through targeted
firm based interventions resulting in more effective risk management; and
While a number of the sector variations are largely positive, there are some instances in which the
activities and associated rationales represent a lack of confidence in, or understanding of, the
framework. Some notable examples include:
A lack of confidence
• Four of the eight sectors examined have defined additional strata of the fixed and/or flexible firm
population (see table 1). The rationale for this approach varies across the sectors and is driven by
sector characteristics including the size of specific firms and the relative size of the fixed and flexible
pools. Specific examples include:
o In some sectors, “priority flexible firms” have been identified in order to maintain closer
communication with some flexible firms. This is mainly due to a lack of confidence in
the ability to carry out effective market based supervision and to rotate the fixed
portfolio and retain a wider view of firms in the flexible population. For example
Wholesale Banking carry out “mini-ASM” visits with flexible firms to maintain contact.
o In some sectors, particularly those with large flexible firms, there is a lack of confidence
in the ability to effectively supervise large flexible firms and this poses a risk to specific
sector objectives. For example, Retail Banking define “high priority” flexible firms as
they are not comfortable reducing the FCA’s visibility of these firms. This has led to a
proactive approach being adopted which the sector believes is not permitted under the
flexible approach e.g. undertaking visits so as to increase the level of understanding in
these firms. This approach has also been influenced by the introduction of Group
Supervision which has a bigger impact on Retail Banking aligned firms than other types
of firms.
• In some sectors, there is a lack of visibility of Event Supervision data due to either a perceived
difficulty in the production of the data or a lack of quality data which is covered further in section 4.
Sectors have attempted to address this by adjusting the risk appetite statement and making specific
ad-hoc requests to the events team for the escalation of events associated with specific firms, risk
types or sources.
Misunderstanding
• There is variable understanding as to the types of work available to the supervision of flexible firms.
In some sectors, only Pillar 2 work is carried out in the flexible portfolio, whereas in others proactive
supervision is undertaken in this population as a whole or a sub-set defined as “priority” firms.
Conclusion
The flexibility afforded to sectors in the definition of their approach to flexible supervision has yielded
some positive innovations. These include the creative alignment of fixed and flexible status and
adjustments to the risk appetites to reflect sector needs. These are positive innovations and should be
noted when applying good practice across Supervision.
However, there are also examples of variations that highlight a number of concerns that have not been
addressed by the framework. These activities have highlighted some deficiencies in the framework and
the level of understanding across sectors that require addressing. These include:
• Sectors with large, high risk flexible firms (e.g. Retail Banking and Wholesale Banking) lack
confidence in their ability to manage risk without increased visibility and contact. The sectors believe
that a strict fixed / flexible structure as designed does not allow them to effectively monitor and
manage the risks associated with high risk flexible firms.
• The level of understanding across sectors of the tools and data available to support the monitoring
of flexible firms varies considerably. This in turn directly affects the approaches that are adopted by
sectors to manage and monitor risk.
It should be noted that the lack of confidence in the framework and the ability to appropriately supervise
large, structurally important flexible firms can be interpreted as a lack of resource in the sector to carry
out the proactive, Pillar 1 supervision that would otherwise be undertaken. When reviewing the options
below to address this concern, the resourcing assigned to sectors to carry out the appropriate level of
supervision should be considered.
There are several options to be considered when addressing these concerns, depending on the level
of flexibility deemed appropriate at a sector level. These options include:
• Review of the fixed / flexible definition criteria, including the link of these definitions to the overall
risk appetite for each sector. This should address the level of risk being taken on by those sectors
with large, structurally significant flexible firms as a result of the removal of fixed supervision.
• Review of the toolkit available to sectors in the supervision of large, “priority flexible” firms. This
should include guidance on possible advanced flexible supervisory techniques (as well as
non-supervisory tools – policy, competition actions etc.) to address firms either transitioning from fixed
to flexible and tools to increase the level of engagement and / or direct communication with a
sub-set of the flexible population.
• Implementation of regular, structured communication of best practice fixed population definitions
used across sectors and the tools used across Supervision to engage with flexible firms.
A lack of clear direction has resulted in confusion as to the role of sector strategies and House
Views
Although autonomy and flexibility is an explicit objective of the framework, a “how to” guide has been
provided to sectors. In the “Approach to supervising flexible portfolio firms” document, October 2015,
guidance is given as to the purpose of the sector strategy document, the relationship with the House
View process, the expected scope of contents, governance, review timescales and other information.
The accompanying schematic process flow is shown in figure 1, below. However, sectors are not
currently adhering to this process and in many cases are unaware that this is the expectation or the role
of the sector strategy. It should also be noted that some sectors have yet to complete a House View
and therefore cannot adhere to this process or expectation.
Figure 1: High level process for definition of sector strategies. Source: Approach to supervising flexible
portfolio firms, October 2015.
Differences in the interpretation and application of this guidance have led to the production of sector
plans that differ markedly in content and in some cases provide little visibility of the actual supervisory
approach that the sectors intend to adopt to address risks and how these link to the relevant House
View(s).
Specifically, this variable understanding surrounds the following factors:
• The overall purpose of the sector strategy document. Although each sector and sub-sector has
taken a different view, there are broadly three interpretations as to the purpose of the sector strategy
document:
o A “budget statement” – a broad statement of the thematic and market based work to
be undertaken and the resourcing required to complete it. For example, Retail
Investments.
o A “mission statement” – a high level statement of the strategic aims of the sector or
sub-sector, the key risks present in the sector, the strategy for thematic, market based
and communicative work to be carried out, a high level work plan for its completion and
broad statement of goals for the sector. For example, Retail Banking.
o A “project plan” – a detailed expression of the risks present in the sector, both the key
risks expressed in the House View but also those of lower priority and how they will be
addressed. This includes a market analysis to set context, a link to the House View
risks and priorities, a detailed work plan including dependencies with other
departments, a communication plan and measures of success. For example,
Consumer Credit.
• The relationship between the sector strategy and House View. The risks and priorities
expressed in the House Views completed to date are seen by some as being of limited relevance to
the derivation of Supervisory sector plans. This is for a number of reasons:
o The House Views were developed out of sequence with sector plans – some House
Views were completed after sector plans so there is limited link between them.
o The risks identified are broad and of a high level, lacking the requisite detail to inform
action planning at a sector level.
▪ For example, Pensions is a stated priority resulting from the House View
process. This could legitimately cover all risks in the Pensions and Retirement
Income sub-sector. This does not give the necessary detailed direction to drive
the prioritisation of lower level risks in the sector.
▪ Another example is that of Retail Lending, which incorporates two very different
sectors – Mortgages and Mutuals and Consumer Credit.
o Some sub-sectors have a number of relevant House Views informing action planning
and it is therefore not clear how they are to be incorporated or balanced. For example,
Retail Investments is subject to two House Views without any guidance as to how to
prioritise between them.
This lack of clarity in the approach to sector Supervision planning has led sectors to focus on the aspects
of supervision within their direct control – namely the identification, and mitigation of sector based risks
with, in some cases, limited interaction with the House Views and other FCA departments. Figure 2 (on
the following page) shows a high level schematic of the current sector planning process.
The figure overleaf also documents some notable differences in the approach taken by sectors,
compared to the suggested process laid out in the approach document:
The process is largely contained at sector level. Although each sector’s risk process is different,
they uniformly lie within the sector. Although external teams are invited and engaged with at the
risk identification stage, in many cases there are limited interfaces at the stage of developing actions to
mitigate them. As can be seen above, the development of the sector strategy is influenced by the House
View and other departments and teams are invited to contribute. However, the decision making
responsibility for risk identification, measurement and prioritisation, as well as initiative development
and sign off lies with the sector.
Figure 2: The generalised sector planning process currently undertaken by sectors. See Appendix 3.
There is often limited or partial reference to the House View in the definition of supervisory actions
– as documented in the Supervisory sector plan. As discussed above, the House Views are
currently perceived by some as being too high level in detail to directly influence the mitigation of lower
level sector based supervisory risks and therefore do not play an active part in directing sector level
activity. As a consequence, sector plans are generated without explicit link to FCA priorities. The
resultant activities are not directly linked to them. There is consequently a lack of confidence that the
FCA priorities are being addressed effectively in some sectors.
Conclusion
There is no common understanding across sectors of the expectations on them under the framework
as currently designed. As a result, sectors design their work based on what is under their control, namely
sector based risk management. The consequences of this are:
• House Views are not being consistently used as the driver of sector activities and in some cases,
FCA priorities are not explicitly acted upon or reported against;
• In some areas there is a lack of confidence that FCA objectives will be realised;
• Although risks are often identified collaboratively the associated sector Supervision plans and
activities are not always generated and executed via a collaboration across supervisory and
non-supervisory teams;
• There is a lack of visibility as to sector activities for senior stakeholders and non-supervisory
departments; and
• There is a loss of transparency and confidence at senior levels and with customers of Supervision
(e.g. Enforcement) in the framework as designed.
The overall objective, linkage of House Views, sector planning and ultimately the link to the supervisory
approach needs to be recommunicated and refreshed across the FCA. There are a number of
improvements available to address these concerns:
• Define a standard output for sector strategy documents taking into account the various sector
characteristics but defining the elements required across all.
• Increased education and communication of the role of the sector strategy documents and how they
are to be used to communicate FCA priorities and the actions taken at sector level to address them.
• Clarify the role of the House View in the development of sector strategies. This is a broad point, but
the following activities could be considered:
o Clarify the level of risk addressed at House View level and the expected alignment to
sector level risks, so as to reinforce the link between FCA priorities, House View risks
and the actions taken at sector level to address them. Risk definition is detailed further
in section 6.
o Clarify the expected use of the sector strategies in communicating sector priorities to
Supervision and non-Supervision teams. For example, clarify how Enforcement are to
prioritise action on risks from one sector or another. Interfaces with other departments
are discussed further in section 3.
o Increase visibility of sector strategies at senior level through structured sign off and
governance. Governance is discussed further in section 7.
o Provide structured guidance as to the frequency of review and alignment to BAU sector
activity – namely updates to CRM of sector based risks.
o Institute robust tracking of activities once aligned to FCA priorities and House View
risks. This should include objective measurement of risks and changes over time so as
to increase visibility as to progress towards FCA objectives.
Figure 3: Summary of the contents of sector strategy documents
• The autonomy of process and decision making is positive and appropriate in the
management of supervisory risk: Sector teams have the required expertise, knowledge and
understanding of sector supervisory risks so as to effectively identify key risks as well as the external
knowledge and other inputs required to prioritise them. The definition of the process of risk
identification and the design of thematic work are correctly under the responsibility of sector teams.
• There is insufficient conformity of output both in terms of flexible firm definition and sector
strategy documents: As detailed above, sectors are in agreement that there are advantages to the
creation of detailed standard guidelines for the output of the sector strategy process, both in terms
of the rationale for defining fixed and flexible firms but also the contents of the sector strategy
document.
Conclusion
There is a consensus view across sectors that the standardisation of sectoral strategy documents would
be beneficial to the overall supervision of flexible firms and in the creation of a defined set of criteria for
the definition of fixed and flexible firms. This would provide a consistent goal for each sector strategy
document, allow the comparison and contrast of plans and ease coordination across the sectors.
However, sectors believe autonomy over the specific process of risk identification, prioritisation and
management is appropriate as currently designed.
Specifically, the production of standardised guidelines on the expected content of a sector strategy
document would aid the production of comparable sector strategy documents. Specific content
suggestions have been made; however, a further review and detailed design is required to support
alignment to House Views, meet any sector specific requirements as necessary and also allow input
from the suppliers of Supervision (e.g. Enforcement).
_________________________________________________________________________________
Background
Following on from the changes to the structure of supervision and the implementation of the flexible firm
strategy last year, amendments to supervisory governance have also been made. The implementation
of the Senior Managers Regime in the FCA has resulted in the single Divisional Risk Committee (DSRC)
being devolved into two forums of governance for SRA and IWS. Governance reviews have also
resulted in the committee designed to review Pillar 2 risk events being disbanded (SREC).
The revised approach to flexible supervision has provided autonomy to the sector Directors and HoDs.
There are no guidelines as to how the governance of sector planning should be structured or how risks
should be presented and escalated to senior stakeholders.
There is currently uncertainty on how the governance of flexible supervision should be implemented
and the future of historic forums and escalation channels. For example it remains to be seen if Divisional
Risk “Away Days” will be reinstated. Collaboration between supervisory teams, including Specialist
Supervision, Event Supervision, Authorisations and non-supervisory teams (Competition, Enforcement,
etc.) has not been mandated in the operational processes to date.
The current interaction between these teams is a result either of specific sectors proactively
implementing cross-FCA forums, or as a result of personal relationships. Consumer Credit, in particular,
has maintained the governance and interface structures that were put in place as part of the initial
consumer credit project.
A review of a subset of the governance processes and decision making is ongoing – it has been
recognised that there is a lack of a decision making framework within the organisation, and the result
of this work is likely to address some of the findings identified here.
This section considers the following:
• The governance of the operational consequences from the changes to the flexible supervisory
framework.
• The effectiveness of escalation of risks to senior stakeholders.
• The extent to which effective collaboration is taking place between supervisory and non-supervisory
teams.
The governance framework varies across each sector. In some cases this has led to a lack of
visibility, transparency and confidence in the framework at Executive Director level
The flexibility afforded to sectors as a part of the flexible supervisory framework includes responsibility
over governance processes. As a result of this, sectors have defined individual sector specific
governance arrangements for the following processes and outputs:
• Risk identification, measurement and prioritisation;
• Sector strategy and plan development and sign-off; and
• Multi-firm and market based Pillar 3 work.
Figure 6 overleaf shows the data and governance flow for the risk management and sector supervision
planning process and documents the sign off stages for risk prioritisation, sector strategy development
and the tracking of multi-firm and thematic work on an on-going basis.
This generic process flow does not include the various different forums, meeting structures, attendees
and recurrence schedules across sectors.
Figure 6: Data flow throughout the risk management and sector planning process
However, it highlights the limited governance structures beyond the Sector level. It shows that the
sector HoD or Director is responsible for signing off:
• The CRM risk map showing the high priority risks in each sector and those prioritised for mitigation
  or further analysis through thematic or multi-firm, market based Pillar 3 work;
• The risk appetite statements related to the resolution of risk events;
• The definition of success criteria of Pillar 3 thematic work;
• Progress of Pillar 3 work, through sector based governance forums and criteria; and
• Closure of risks in CRM, either following successful Pillar 3 work or through natural degradation of
  risk priorities.
Figure 7 below is a governance map setting out the forums across the divisions and sectors that are
currently used for the governance of risk identification, initiative prioritisation and initiative governance.
It highlights the different governance approach across the sectors in the consideration of supervisory
risk.
Figure 7: Sector planning governance map
In comparison, at the Executive Director Level the only formal associated governance relates to the
sign off of actions taken against “watch list” firms. Any further visibility at Executive Director level of
actions taken to identify, measure, prioritise, monitor or report sector risks is based on individual sector
discretion, ad-hoc requests or through escalation of risks requiring action above sector level.
Without a mandated governance process, the Executive Directors do not have a consistent view of the
planning and prioritisation across sectors and divisions. This impacts their ability to ensure that strategy
and planning is conducted in line with the FCA objectives and the House View. This also inhibits the
identification and governance of cross-sector work.
Furthermore, the lack of standardised governance processes means that other teams, both in
supervision and across the wider FCA, don’t consistently have a clear view of sector strategy plans or
prioritisation.
Conclusion
The flexibility given to supervision in the governance of the risk management processes and sector
supervision strategy development has given rise to a situation where limited visibility is provided to the
Executive Directors. The lack of a clear decision-making and escalation framework that includes
Executive Directors limits the ability of senior leadership to have confidence that the right decisions are
being made. In addition, the lack of visibility also impacts the Executive Directors' ability to ensure that
resourcing is being distributed appropriately according to the strategies across the sectors.
The implementation of a decision-making framework to clearly define the type of decisions that should
be made by each level of supervision, including the decisions that should be made by the Executive
Directors, would provide a level of transparency and oversight for senior leadership. Further to this, a
baseline governance structure – e.g. standard forums across sectors – should be considered to attempt
to achieve more consistency and visibility of decision-making within each sector.
The different interpretations of the flexible supervision framework have led to operational
complexities that currently do not have governance structures to manage them
Sectors have made use of the flexibility afforded to them by the revised approach to the supervision of
flexible firms to implement changes to their approach.
• Interactions with Specialist Supervision. The overall supervisory approach for some firms is
  made up of a combination of specialist and sector supervision. To maintain a coordinated
  supervisory approach, specialist and sector supervision must collaborate effectively. There is
  currently no formal, mandated process to support this collaboration.
    o In the case of the “hybrid model” undertaken in Financial Crime supervision, the
      interaction between sectors and specialists for flexible firms requires additional
      structure. The lack of a named supervisor for flexible firms (as is the case for fixed
      firms) means the current one-to-one interaction no longer applies and a flexible
      interaction model is not yet in place to link the specialist supervisor to case workers in
      the sector teams.
    o Of particular concern is that prudential risk events for firms defined as flexible within
      sectors are managed within Event Supervision. This includes those firms ranked as P1
      – those of largest prudential risk. It is critical that, when a P1 fixed firm is reassigned to
      the flexible portfolio, the P1 status is communicated to Event Supervision. Again,
      there is currently no formal process to support communication.
• Additional Requests on Event Supervision. Sectors actively adjust the escalation criteria
  employed by Event Supervision. Additional requests for escalation add operational complexity and
  require balancing with those of other sectors. This complexity, unless properly managed, can impact
  Event Supervision’s ability to deliver the efficiencies for which it is designed.
• Coordination of firm interactions in Group Supervised firms. Flexible firms can be dealt with by
  several departments across the FCA including specialist supervision, sector supervisors, thematic
  and multi-firm work. While the Group Supervision model is still relatively new, there is a risk that
  without effective communication between these departments a firm can be contacted without the
  knowledge of all interested parties, leading to reputational damage to the FCA and ineffective
  supervision. Structured communication is also required to gather the correct information across the
  group and coordinate interactions with the firm as a whole.
These operational issues are not currently managed in a structured way that is uniform across sectors;
their management is largely dependent on sectors, Event Supervision and Specialist Supervision working
collaboratively on an informal basis. While in some cases there are governance mechanisms at an
immature stage (e.g. review and audit of interactions with Event Supervision), collaboration is not
currently structured and robust.
Conclusion
There are operational consequences of the different approaches to flexible supervision across sectors
that currently rely on ad-hoc collaboration. Often this functions as a result of personal relationships
between staff and teams, rather than a robust and consistent governance framework.
These examples all relate back to the lack of existing interfaces and the importance of effective
governance to mitigate these risks:
• Communication between Specialist Supervision on the fixed and flexible firm population and their
  relevant specialist categorisation, particularly for prudential;
• Ad-hoc requests on Event Supervision reducing their ability to realise the economies of scale for
  which it is designed; and
• The differences in Group Supervision of the fixed and flexible parts of the group.
Consideration should be given to how governance and interface structures should operate between the
impacted teams mentioned in this section.
The quality of interactions between teams varies which directly impacts cross-sector and cross-
organisation knowledge sharing, risk mitigation and planning
Across the FCA the interaction between teams and divisions is largely informal and unstructured. This
isn’t necessarily an issue in itself – there are examples of where the informal interfaces that have been
established within the teams are effective:
• Risk identification – In general, the sector teams have been effective in incorporating
  non-supervisory teams in the risk identification process. This has ensured that the widest range of
  knowledge and expertise is leveraged. This is particularly true of Consumer Credit, in which a parallel
  planning process - through a series of working groups - has been implemented to mitigate
  deficiencies in the data available. This process is shown in figure 8 below.
Figure 8: The Retail Lending Risk Identification and Prioritisation process. See Appendix 6 for full
process flow
• The Consumer Credit area has effective interaction across Authorisations, Event triage and Sector
  Supervision and feedback has indicated that this facilitates good knowledge sharing and planning.
  This has been supported by the structure of having specialised Authorisations and Events teams
  dedicated to Consumer Credit, and by the legacy of programme management governance
  structures.
• Wholesale, including the Wholesale Banking and Infrastructure and Trading Firms sectors, have
  good interaction on issues that relate to both sectors, as well as good interfaces outside supervision
  – for example with Market Monitoring.
There are, however, areas where the communication and knowledge sharing between teams breaks
down:
• The planning process: while all supervisory teams have a role to play in firm supervision, including
  Authorisations, Events, the Contact Centre and the Specialist teams, they aren’t always being
  represented during the planning process that will prioritise risks and set the strategy for the firms
  they are interacting with.
• Risk prioritisation and mitigation: Currently other sector teams and non-sector supervisory teams
  aren’t always contributing to the planning of actions to mitigate risks or take the appropriate actions.
  This is particularly true of the mitigation of cross-sector risks. For example, should a policy change
  be required to effectively mitigate a priority risk for supervision, there is no structured method of
  interaction to ensure these changes are made. This decision will have to be made by the appropriate
  governance structure with the Policy team.
• Enforcement: There are joint ventures in place to coordinate the interactions between supervision
  and enforcement. However, the difference in prioritisation criteria between the two departments
  restricts effective collaboration. Specifically, although Supervision prioritise risks based on impact
  and probability of occurrence, Enforcement prioritise interventions based on these and additional
  factors, for example, the likelihood of successful action. The burden of evidence required is often
  more difficult to secure in flexible firms where there is limited interaction with firms.
• Authorisations: Apart from Consumer Credit, the interaction between Sector teams and
  Authorisations is often limited. There is often little collaboration in defining risk appetite statements,
  which can lead to differences in the interpretation and application of the risk appetite.
• Specialist Supervision: Specialist teams operate separately, with varying levels of interaction with
  the Sector Supervisors. CASS operate an outsourced model with sector supervision, while Financial
  Crime operate a hybrid model in which the responsibility for the supervision of Financial Crime issues
  is split between sectors and specialist supervision. The lack of structured collaboration has limited
  the visibility of what actions are taken by which team, and therefore the FCA-wide actions on
  specialist risks and the accountability for those actions are often unclear.
For areas where the interfaces are informal, there are good interactions and communication taking
place, but this is typically dependent on individual relationships or where a sector is more proactively
facilitating cross-supervision communication.
Conclusion
In general, the interfaces between supervisory teams and non-supervisory teams are informal and
unstructured. While this approach appears to be working well in some cases, the informal approach
does not ensure consistent interaction across teams.
The lack of formality and structure results in key areas of the supervisory divisions being left out of
important risk and planning discussions. In addition, the structured interfaces that do exist, such as
those between Supervision and Enforcement, are not as effective as they could be due to the lack of
common priorities and approach.
Consideration should be given to how collaboration can be improved between sectors, including
whether structured forums for cross-supervisory and cross-FCA review of risk prioritisation and sector
planning would be appropriate. In other cases, where forums already exist, a review of these could help
identify where they are working and what areas should be improved.
A lack of structured interfaces between Sector Case teams and the Contact Centre and Event
Supervision has impacted operational efficiency and the effective management of risk
Pillar 2 supervision is reliant upon open and efficient communications between key parties, and the
interaction between Event Supervision and sectors is critical. The current ad-hoc nature of the interface
between Event Supervision and sectors results in variable responses to the mitigation of risks. In
situations where there is standard, structured communication, the escalation rate is higher which leads
to the right level of expertise being engaged. This is not the case when the interaction is less structured.
Furthermore, when compared to the local approach undertaken in Consumer Credit with a dedicated
triage function as part of the sector supervisory team, there is a noticeable difference both in terms of
resource efficiency and risk management effectiveness. Some notable examples have been listed
below:
• The application of sector expertise and a close working relationship between the Consumer Credit
  triage function and the Contact Centre has lowered the volume of cases reaching the sector case
  team incorrectly from close to 40% to less than 30% today.
• The level of interaction between case teams within sectors and Event Supervision directly affects
  the escalation rate and the appropriateness of mitigation action. The sectors with direct collaboration
  as part of the escalation process (Retail Lending and Investment Management) see the highest
  referral rate of risk events from Event Supervision, 20% and 27% respectively. These sectors
  mandate communication being passed between the sector and Event Supervision in the escalation
  of every case. This is compared with the lowest rate of referral (7% - Retail Banking) belonging to
  the sector without any structured collaboration as part of the process. While this is a good proxy
  measure, it should be noted there are several possible causes for this variation and additional
  analysis is recommended to verify this conclusion fully.
Conclusion
There are a number of factors that influence the referral metrics, including the level of risk appetite in
each sector and the relative importance of the flexible population, but there is evidence to suggest that
the level of collaboration between sectors and events teams can have an impact on the resolution of
Pillar 2 risk events.
As mentioned in previous sections, consideration should be given to whether structured governance
forums would be appropriate to improve collaboration across teams. It may also be appropriate to
review whether a sector-aligned approach to Event Supervision might also improve operational
efficiency without detracting from the benefit of having a central team to process events.
A more effective collaborative approach could deliver:
• Improved resource efficiency in sector teams and triage due to the timely intervention of sector based
  expertise to close risk events efficiently.
• More appropriate risk mitigation actions applied to those risk events benefiting from a structured
  escalation process between Event Supervision and Sector case teams.
makes it difficult to understand the underlying trends in firms, such as identifying what is driving profit
growth.
The data is not forward looking which inhibits the ability to forecast trends.
Firms do not report in the same way, particularly larger firms consisting of several departments. For
example, will submit figures that do not include their credit card portfolio, whereas other
firms will include these portfolios in their submissions, therefore returns are not easily comparable.
Firms submit errors on their regulatory returns. This often causes alerts to be triggered incorrectly,
and subsequently alerts are often ignored.
Consumer Credit – The sector not only lacks structured regulatory return information fit for conduct
supervision but also 80% of consumer credit is limited permission. This effectively limits the
information available further.
These sector specific deficiencies present sectors with challenges that in some cases detract from their
ability to supervise both fixed and flexible firms. The risk to supervision of flexible firms is exacerbated
however by the lack of direct contact with firms and the subsequent ability of supervision to gather firm
data directly. In response, sectors have developed a number of short term initiatives to derive
intelligence on their flexible populations. These tend to be tactical solutions that are owned and
managed within the sectors. This creates an extra burden on FCA resource and effectively prevents
other Pillar 2 or 3 work being carried out. There are 4 broad responses under way:
• Bringing together knowledge of other FCA departments to fully utilise the available expertise. For
  example, Consumer Credit run a series of working groups for this purpose and to inform their sector
  strategy (see section 3 for further details).
• Leveraging existing internal data to derive any insight available to the FCA without redefining
  regulatory return information. For example, GI&P are extending their use of Contact Centre data to
  derive further insight despite its raw nature.
• Using Pillar 3 work to generate data on a one-off or short term basis. Retail Investments and
  Wholesale Banking use Pillar 3 work to implement a one-off, or short term data gathering exercise
  in order to better understand high risk flexible firms and identify important characteristics to form the
  basis of a “profile” of risky flexible firms.
• Defining a data strategy and new regulatory return data. For example, Pensions and Retirement
  Income are currently defining a data strategy to restructure the regulatory data received from firms.
Conclusion
The data collected from firms in regulatory returns forms the foundation for supervision across both
fixed and flexible firms. This data is of increased importance to flexible firms due to the lack of one-to-
one contact and oversight. In some cases regulatory returns form the only regular contact with flexible
firms and the only opportunity to review their conduct.
Currently, the data gathered in this form is not aligned to the FCA’s expanded conduct remit and is
therefore not fit for the purpose for which it is now used. This has several consequences for flexible firm
supervision:
• Knowledge of the flexible firm population is limited to aspects not entirely relevant to conduct
  supervision;
• Event Supervision are required to respond to alerts raised by breaches of thresholds not relevant to
  conduct. This adds to their remit and reduces their ability to respond to conduct issues; and
• Sectors use their limited resource to gather other data not supplied through regulatory returns
  information.
While it is a lengthy process to define an updated data strategy and a thorough regulatory return
framework – involving detailed design, consultation with firms and potential restrictions put in place by
the Enterprise & Regulatory Reform Act 2013 – the absence of it presents significant challenges to
sectors and detracts from the effective supervision of flexible firms in particular. Furthermore, there is a
balance to be struck as to the amount of data gathered, without being disproportionate in comparison
to the risks being mitigated.
Specifically, the following actions are recommended:
• Review of returns: Sector teams should identify their analysis and regular reporting needs. The
  review should address whether these needs can be answered by the existing data, what data would
  be needed to address these gaps, whether the data can be collected, and if not, what proxy data
  could be used. The review would identify consistent needs across sectors and inform what should
  be delivered by the regulatory returns.
• Review the formats of submissions to reduce firm errors and provide further guidelines on
  completing them.
Risk event data is aligned to firm risks, restricting the ability of sectors to derive insight into
market trends
In response to lacking regulatory return data relevant to conduct issues, some sectors have looked to
the data gathered by the FCA directly through Event Supervision to derive insight into risks and trends
in their sectors. This data is not currently structured for this purpose and presents challenges in deriving
market trends.
Currently, cases in the Contact Centre and risk events handled in Event Supervision and the Consumer
Credit and Infrastructure and Trading triage functions are allocated to firms or legal entities through
Intact and are escalated as required on this basis.
Figure 9: Schematic relationship between sector risks (green) and risk events (orange)
However, when investigating risk events across firms within a sector or between sectors it is necessary
to link risk events by the characteristics of the risk, rather than just the firm. Figure 9 above shows a
schematic representation of the analysis required. To understand sector risks, specific events must be
linked together between firms and sectors. Only then can detailed and relevant insight be drawn as to
the scale, impact, root cause and precise nature of the sector risk.
Currently, the information stored within Intact prevents this from being analysed in a structured way.
There are several underlying reasons for this:
• The “tagging” of risk events to a risk type is not always sufficiently granular to derive meaningful
  insight. The current groupings available are at a high level and do not provide enough clarity as to
  the precise risk type – for example “Governance” or “Culture” are potential tags but are not detailed
  enough to derive insight into market trends.
• The expertise of Contact Centre or Event Supervision staff is not sufficient to accurately provide
  granular risk information based on limited interaction with consumers or information on the risk
  event, particularly given the limited information available to them.
• Tags are not currently uniform across sectors, meaning risks common to multiple sectors cannot be
  tracked with sufficient clarity. For example, mis-selling cannot be tracked across the multiple
  sectors and products for which it is relevant.
• The tags are not always used correctly. Consumer Credit use a workaround by putting a code in the
  subject line to identify consumer credit type.
Further to the recording of risk events in Intact, the events aligned to risk types are not always mapped
to the sector risks used to define sector strategies and plans. This is due in part to sector risks being
stored in CRM while risk events are stored in Intact. This is detailed further in section 5. This presents
a number of practical constraints for sectors in the identification, measurement and reporting of sector
risks and their mitigation:
• Sector risks cannot be linked to risk types in Intact effectively, meaning it is not possible to track the
  growth (or degradation) of sector risks through the information directly collected by the FCA.
• Sector risks cannot be tracked in fixed and flexible firms as risk event information is stored in different
  systems.
A mapping exercise is therefore required to link risk event data between fixed, flexible firm risks and
sector risks in CRM.
Conclusion
The approach to flexible supervision now in place demands that market risks can be identified,
measured, monitored and reported across populations of firms and sectors without the need for firm by
firm intervention.
Currently, Intact is not structured in this way and this directly affects the ability of sector teams to view,
understand and derive insight into the impact and probability of sector risks common to a large selection
of firms. The consequences of this include:
• Sector strategies and everyday sector supervision actions are not aligned to the risk events being
  reported by consumers to the FCA as these events cannot be used to derive sector risks.
• Sectors naturally continue to approach supervision on a firm by firm basis as this is how data is
  presented to them. This prevents them from successfully moving to a market led approach as the
  flexible strategy dictates.
• The actions taken to mitigate sector risks cannot be tracked objectively through the information
  directly available to the FCA. The FCA therefore cannot use its own information to provide evidence
  that its objectives are being met.
It should be noted that action is under way to address this concern through the implementation of risk
tags in Intact so as to track sector risks through the associated risk events. This is necessary but not
sufficient to meet the needs of sectors and Supervision more generally.
Further to this initiative, the following actions are recommended:
• Tag development should cover all sectors and provide a foundation to compare risks across
  different sectors and between those responding to risk events in local triage functions. For example,
  a mis-selling risk event could be compared across sectors as it shares characteristics not specific
  to one sector or sub-sector. It is therefore required that risk events with this tag be understood in the
  same way across sectors and have a definition across products and markets.
• Tags should be representative and mapped to sector based risks to ensure that the growth or
  degradation of sector risks can be monitored in a robust fashion.
• Robust, standard processes for updating tags should be designed and implemented. This should
  incorporate the definition of periodic review, roles and responsibilities for the ownership and updating
  of tags, their mapping to sector risks and any ad-hoc requests in response to Pillar 3 studies should
  they be required.
Although valuable due to its unstructured and unprompted nature, the data gathered through
the consumer Contact Centre is also raw and therefore should be used with caution when
deriving market insight
The data gathered from consumers through the Contact Centre is often based on small amounts of
information and / or short interactions with those involved. In some cases the quality of information
gathered at this stage is limited. While not all sectors make use of this data – and in some cases
unstructured data can be used effectively – it is important that when using this information this constraint
is acknowledged and the derived insight is appropriately caveated.
It is important to note at this stage that this is not a comment on the efficiency of the Contact Centre.
Often consumers contact the FCA for reasons other than to report risk events or examples of
misconduct. For example, they contact the FCA because they believe they are contacting the firm
involved or the Financial Ombudsman Service. In some cases they require advice or guidance as to
whom they should contact. The amount of information that the Contact Centre can access is often small
and they are required to make decisions not only with this constraint but also when lacking the expertise
to interrogate what information they have efficiently.
Furthermore, the data gathered from the firm Contact Centre is a valuable source of information
regarding firms’ experience of regulation and that from the consumer Contact Centre is an important
tool for gathering unstructured, unprompted consumer contact. By interrogating the data, a number of
significant innovations have been piloted that could be considered for extension across the organisation:
• Voice analysis: All calls are recorded through the Contact Centre and therefore voice analysis can
  be used to derive key words being used and from that trends in the reasons for consumers and firms
  to call the FCA.
• Text analysis: Due to the need for the Contact Centre to document information in free text fields,
  standard tagging can be problematic. With robust text analysis, trends in key words and firm names
  could be derived that – like voice analysis – point to emerging trends in the market.
There are currently limitations to the insight derived from the volumetric analyses carried out
using the consumer Contact Centre information in particular.
Figure 10 shows a volumetric analysis of the cases escalated from the Contact Centre and other
sources, through Event Supervision to the sector teams. The width of lines represents the relative
number of cases at each stage of the process and the grey line highlights the closed cases at each
stage without any further action being taken. When interrogating this analysis it is important to note:
• Data corresponds to the year April 2015-March 2016 and has been drawn from 3 sources – Contact
  Centre, Event Supervision & Consumer Credit MI;
• Event Supervision volumes have increased in the last year due to the on-boarding of larger flexible
  portfolio firms;
• Closure reasons do not align in all cases – Consumer Credit and Event Supervision “no breach”
  closure reasons are not defined in precisely the same way (Events close as ‘no breach’ where
  a case has been raised and subsequent analysis and investigation shows there has been no
  regulatory breach. This may involve contact with the firm in some situations. Consumer Credit use
  this closure reason to signify cases where no analysis, investigation or action has been taken); and
• Event Supervision risk event volumes do not include approximately 2,500 non-discretionary cases,
  MP letters, FOIA requests or requests for information from other organisations.
This analysis highlights a number of important points to note when deriving insight and intelligence from
the Contact Centre data:
Figure 10: A volume flow of crystallised risk cases and risk events. Sources: Risk Event data 2015-16
• 97% of all cases that reach the Contact Centre are closed without escalation to a risk event.
  This does not necessarily mean no action was taken as the Contact Centre often offer advice
  or direction to firms or consumers. This indicates the number of queries made of a sector, firm
  or product by consumers but does not give an indication as to the risks present in a sector.
• Even those cases escalated to Event Supervision or the Consumer Credit triage functions are
  often not actionable and provide limited insight. In Consumer Credit triage – who have made
  considerable efforts in cleaning the data from the Contact Centre and have provided guidance
  in data quality – approximately 30% of cases are closed with no action taken or no breach found.
Figure 11 shows the data and decision flow through the crystallised risk process. It shows the evolving
nature of the data available to associates and the relative value of the MI produced.
Initial contact by consumers and firms. As discussed above, data at this stage is raw and is
based on limited interactions with customers and firms. Data at this stage is of limited value to
the identification of risks
Once Event Supervision have assessed and scored each risk, cases can be identified, classified
and scored, albeit at an approximate level only. Volumes of cases at this stage give an
indication of the scale of risk volumes, rather than merely consumer contact volumes
Upon escalation, the risk appetite has been applied twice. Cases at this stage have been verified
as risk events and form a solid basis for deriving insight into the volumes of cases appropriate
to each risk type
At this stage, further action and analysis has been undertaken by either Event Supervision or
Sector supervisors. Risk event volumes at this stage are a good reflection of the nature of the
risk and associated specific. As an example, the evidence that resulted in where
Event Supervision played a key role in identifying an emerging risk across several firms.
Conclusion
Contact Centre data is valuable due to its unprompted and unstructured characteristics. The data is raw
and non-validated. Therefore it does not necessarily align to risk events or market intelligence. The lack
of other available data coming to the FCA has driven some sector teams to interrogate the MI available
from the Contact Centre to derive insight into market trends.
This practice has several consequences that may detract from the supervision of flexible firms:
False conclusions could be drawn. Trends apparent in consumer Contact Centre data are not
guaranteed, and often not likely, to represent trends in underlying market risks.
The availability of Contact Centre data has led some sectors to focus on this data rather than develop
validated data sources. For example, sectors do not actively work with Event Supervision to
implement MI based on clean, verified data.
Given the lack of verified information available to Contact Centre associates, there are limited
actions that can adjust the resulting MI. The associated limitations of Contact Centre MI should be
recognised and understood by all parties using it.
The following actions could be considered:
Review the use of Contact Centre data to define the positive outcomes and appropriate use of the
information.
Review the possible extension of voice and text analysis to maximise the insight available from the
unstructured data available
Figure 11: Data flow in crystallised risk
Validated data sources, both internal and external, have not been developed to their full potential
There is a large amount of clean, validated data potentially available to sectors. However this is not
being fully utilised due to a lack of knowledge of what is available and how best to use and interpret the
data. Therefore there is intelligence not being used to inform sector planning and identify potential risks.
This could result in market risks not being identified and mitigated.
Validated data sources include, but are not limited to the following:
Event Supervision risk events. This information has been reviewed, analysed and assessed for
cleanliness and accuracy. It has also been scored for potential impact.
Financial Ombudsman Service. Like Event Supervision, the data available to the FCA through a
robust connection to the FOS offers clean, validated and assessed information directly related to
financial conduct
Firm Complaint data. This data is directly related to firm conduct and to the products offered by
firms. Used correctly, data directly submitted from firms can provide primary evidence as to conduct
issues arising in the market.
Authorisations data. This data can provide information on new firms entering the market, and
insights on the direction of growth in the market
There are a number of constraints currently preventing sectors from making full use of these validated
data sources in their analyses that can be addressed through short to medium term actions. These
include, but are not limited to:
A lack of official link and understandable process to access the data. In the case of the FOS, the
data is in some cases referred to but not on a structured and coordinated basis that ensures risk
types are measured and monitored across sectors.
A lack of understanding as to how to access the data. Complaints data is currently stored in BI /
COGNOS and not all sectors understand how to access it. It is also firm specific so requires
interrogation to derive risk specific insight.
A lack of visibility. Event Supervision have only recently begun publishing systematic MI on risk
events and their resolution.
Poor risk type tagging. As detailed above, Event Supervision data in particular has in some cases
been avoided due to a lack of linkage to sector risk types
Inconsistent use of sector tags. For example sector tags are not used in authorisations, which make
it difficult to link back to risk within sectors.
Data is stored in multiple warehouses. The existing systems limit the sectors' ability to join up multiple
data sources to create a holistic view of the market. Teams must manually extract data and conduct
separate pieces of analysis. This is resource intensive, and limits the sectors' ability to conduct
market wide analysis.
In the specific case of Event Supervision, there appears to be a reluctance or a lack of understanding
on the part of sectors to work with them to generate standard, relevant and timely MI to support the risk
identification and measurement processes. While in some cases sectors have approached Events in
order to gather useful data, there have also been several other actions taken to either gather the
information by different means or gather proxy metrics and data as a substitute.
These are often not optimal and include:
Referring to raw, unstructured data instead. As discussed below, some sectors are referring to the
raw data available to the FCA as a substitute for cleaner risk event information.
Requesting specific risk event types be escalated directly to sector case teams. Instead of
monitoring MI, some sectors have asked specific case types to be escalated to them without Events
taking action – irrespective of risk score – so as to maintain visibility of certain risk types.
Ignoring risk event data altogether. The lack of relevance, timeliness or perceived low quality has
caused some sectors to avoid using risk event data in their analysis of sector risks altogether.
Conclusion
Validated data sources are available to the FCA without the redefinition of regulatory returns data or
undertaking specific data gathering exercises. These include both internally generated data, for
example Event Supervision and complaints data but also external data in the form of that gathered and
actioned by the Financial Ombudsman Service.
The consequences of these sources not being developed include:
Lower quality data sources are used instead. As detailed above, the use of Contact Centre data in
particular has potential negative consequences to supervision
The understanding of risk types across the flexible portfolio is reduced, directly affecting supervision
Resource is spent interrogating low quality data
To address these concerns and improve the overall quality of data available to sector teams, the
following recommendations should be considered:
Education on all internal sources of information, so sectors understand the existing intelligence
within the FCA. Following this, a review of the internal intelligence by sector to identify how the data
sources can be used in market analysis and risk identification.
Regular compliance reporting to ensure the data is kept up to date and data fields are completed.
Review of existing alerts by sector
Definition of a standard approach to extracting data across sectors and systems
Clear owner of each system for quality control purposes
Up to date data dictionary of available sources, fields and systems that sector teams can use as a
reference to understand the available data.
The longer term solution would be to have all data stored in the same system with unique identifiers to
link firms. As part of the data strategy, the existing systems are being reviewed and a central warehouse
is being created in the Amazon cloud.
The quality of data stored in Intact is impacted by inconsistent practices and structural issues
In addition to the constraints on data analytics and the quality of intelligence derived from it discussed
above, there are specific practices involving the use of Intact itself that restrict data quality. The review
undertaken has not dealt extensively with the direct use of Intact by associates but a number of
concerns have been raised concerning how cases are recorded and documented which further limit the
ability of other teams to interrogate the data and draw insightful conclusions. These include but are not
limited to:
Case information is often of low quality and difficult to understand.
The data inputted into the subject line of cases is inconsistent and does not give caseworkers
sufficient information to act accordingly.
Little or no record is kept of the risk type or the area of policy to which the case is referencing,
restricting the ability of case workers to understand the nature of the case.
Cases requiring no action are forwarded, including cases of consumers thanking the FCA for advice
or calling back to give updates on forwarded cases to the FOS.
Furthermore, there are several structural issues affecting Intact data quality. These include:
Multiple departments have access to Intact, and the quality of data and language entered into the
system can be inconsistent across departments. For example, the Contact Centre record entries at
firm level whereas supervision record risks and firms by legal entity. Therefore it is difficult to link
data within the same system.
Firms may have several legal entities and / or various permissions denominated by codes in Intact.
To correctly assign a case to the appropriate entity for review a case worker requires a level of
detailed understanding of Intact, the firm in question and the appropriate legal entity to which to apply
a case that is not available to Contact Centre staff. For example, has more than 6 codes in Intact,
only one of which is the correct entity for the majority of cases. Without knowing this in advance,
cases may well be documented incorrectly.
Conclusion
Intact offers a rich source of potentially validated consumer and firm information, should this information
be gathered and recorded accurately and in a structure that allows sectors to quickly understand the
issues, make connections between cases and derive market risk insight from it. Currently, the
inconsistent use of Intact is preventing sectors from appropriately making use of this information. This
has the following consequences:
Information on consumer cases cannot be escalated and acted upon accurately
Risk events cannot be accurately identified from the information attached to consumer contact cases
in Intact
Risk events cannot be accurately attached to firms and therefore linked across firms and sectors
To address these concerns a combination of education, standard data entry practices but also structural
changes to Intact should be considered. Specifically, the following actions are recommended:
Implement a robust audit and quality control process where customers of the process (Event
Supervision, Consumer Credit and ITF triage and sector case teams) feed back to the Contact
Centre and better define the information captured when dealing with customers
Extensive, standard training to be undertaken covering staff in the Contact Centre, Event
Supervision, Sector case teams but also sector teams so as to build an understanding of the data
available, methods to interrogate it and the MI available.
Extension of mandatory fields in Intact to cover the data required by Events, Sector case teams and
sector triage functions
The lack of standardised intelligence across sectors has led to the sectors embarking on various
sector specific data exercises
As detailed above, sectors face challenges both in terms of the lack of available data and also
interrogating the data that is applicable to the identification and measurement of sector based risks.
There is limited resource within the central team to implement standard reporting and intelligence. The
central team have produced initial risk and performance reporting. However, the central team does not
have the extensive knowledge of the sector teams on the underlying trends in the data and therefore
are reliant on sector teams to provide sector specific insight.
Some generic reports exist, however these are not always fully utilised as the information is not
applicable to all sectors. For example the Contact Centre has created reports that are designed to be
used across departments, but as detailed above, this information is of limited value to sectors.
In response, sectors have assigned resource to developing their internal data capability, aligned to the
specific requirements of each market. These efforts vary across sectors, but individual initiatives
include:
Consumer Credit have set aside Pillar 3 resource to complete a detailed analysis into the sector.
The exercise aims to generate data and information on their firms due to a lack of information
available to them through regulatory returns. They have also assigned a specific resource to
improving access to data and data quality in the sector
GI&P have assigned specific resource to the analysis of Contact Centre, Whistleblowing and
Parliamentary affairs information
Mortgages and Mutuals are in the first iteration of producing regular sector analysis MI to identify
and review market trends split by intermediaries and lenders
Wholesale banking receives profit and loss information directly from their fixed and priority flexible
firms. This is used for quarterly peer analysis and a monthly scorecard dashboard to monitor
changes and performance across firms. In addition, the flexible team has manually populated the
key contact details and business lines of our target population (c200 legal entities) as part of their
Data Strategy
While these efforts are laudable and will yield some results, the development of sector specific data
requirements and / or improvements highlights several potential risks to cross-sector supervision:
Inefficient application of resource – each sector working in isolation does not have the scale,
capability or resource available to drive the changes required to improve data quality sufficiently.
The application of central standards to the analysis of common data sources across sectors is
beneficial and is constrained by individual sectors working in isolation. In particular, standardising
the following aspects would be of benefit:
o Risk event MI and reporting across sectors and risk types.
o Sector risk scores and scoring methodology – see section 5 for further details of risk
measurement methods.
o Collaborative forums between sectors and Event Supervision or other triage functions.
o Group Supervision – those firms spanning several sectors would benefit from standard
reporting of data applicable to them across sectors.
The lack of standardised data used and training in the use of Intact data in sectors has resulted in the
over-reliance on qualitative metrics to support decision making in many sectors, noting Mortgages and
Mutuals as an exception due to the granular data present.
This has manifested itself in a number of ways during risk management and sector planning processes:
Sectors will share intelligence via discussion and meetings without the use of regular reports.
Sectors have said that information from the Contact Centre or Event Supervision is shared during
forums, but standard reports are not used to inform these discussions. Therefore there is limited
quantitative evidence to support decisions.
Sectors rely on the knowledge and experience of particular people. This knowledge is easily lost
when experienced team members move on and does not permit the tracking back of decisions to
key data.
Conclusion
There is an appetite to improve data use in sector teams and a realisation that the use of data can and
should be improved. However, there is a lack of the required central resource to improve data use and
data quality present in sectors and there is not sufficient central oversight to drive the change required
across supervision.
This results in the overreliance on qualitative metrics and collaboration between knowledgeable experts
in decision making processes. The consequences include, but are not limited to the following:
Derivation of non-standard data improvements across sectors.
Inefficient, small scale changes are being derived rather than the supervision wide improvements
required.
To address these concerns, the following actions are recommended:
Review of data and variables needed for each sector to determine if standard reports can be
identified to automate intelligence making it easier for sector teams to utilise all available data.
Standardise the approach on sharing information across department to evidence decisions and risk
identification.
Review data analytics capability across sectors. Following this, a review of how the support
function(s) can fill the gaps – including MIDA, central supervision support etc.
Background
There have been a number of changes to how supervision record and report risk. Intact has been rolled
out across supervision, and as it has been implemented, it has changed which risks are recorded where,
and the types of information that need to be recorded. CRM (renamed the FCA Risk Register during
this review, although it will be referred to as CRM in this report) remains in place as the central risk
register for sector risks, as well as operational risks with Intact the risk register for firm specific risks.
The House Views have also been introduced, which aim to draw together information from across the
organisation to provide a consolidated view on sector risks.
Additionally, as part of the implementation of the flexible firm strategy in 2015, an exercise was
conducted to ensure each sector had a documented risk appetite. These short documents set out what
the supervision team should and should not look at or act upon. They effectively act to provide a view
of the priorities and tolerances of the sector teams. These risk appetites are used to inform the referral
criteria used by the Contact Centre to refer cases onto supervision, and by the Event Supervision team
to refer events to Sector Supervision. They also provide guidance to Sector supervisors on work that
should be prioritised when defining sector plans and activity.
Figure 12: The use of risk appetite statements across Supervision
This section looks at our findings in relation to how risk is identified, measured, monitored and reported,
taking into account:
Risk appetites, including how they are defined, and how they are applied to operational processes;
How risk is measured and recorded, depending on the type of risk and the team; and
How the risk information informs planning, risk prioritisation and escalation, as well as how the
information supports identification of emerging risks.
The risk appetite statements lack a central view of risk appetite and are not sufficiently well
defined to aid consistent decision making
Risk appetites have been developed for each sector and consist of qualitative high level guidance
setting out the following information:
where supervisors will and won’t look,
where supervisors will and won’t act, and
how supervisors will act.
The one page statements also include limited quantitative measures. The statements set out the risk
appetite for both fixed and flexible firms covering firm-specific, reactive and multi-firm activity. The
current statements were produced by each sector and signed off in 2015, when the flexible firm strategy
was implemented. We have noted the following issues:
There is a lack of clear guidance on key priorities and areas of risk. The risk appetite statements
have been documented individually by each sector based on their view of their sector risks, and as
mentioned in section 2 of this report, this has led to useful, sector specific customisation. However, they
lack direction and linkage to a centralised, high level risk appetite that provides clear guidance on
the key priorities and risk areas. This has contributed to the inclusion of high level statements in the
risk appetite which should be updated to link back to a central view of priority risks for the FCA.
The quantitative measures and triggers included in the risk appetite statements do not
support the application of the risk appetite in practice. Quantitative sizing measures and
indicative triggers have been included in most of the sector risk appetite statements. Some of the
sectors have included sector specific measures, such as Infrastructure and Trading Firms. An
overarching measure has been applied to sectors with retail activity. This includes Retail Banking, Retail
Lending, General Insurance and Protection, Retail Investments, Pensions and Retail Income and
Investment Management. The standardised quantitative measure is an amount of customer
detriment greater than £5M and impacting more than 2000 consumers. In practice, this measure has
proven to be ineffective, as it is often irrelevant to the event and is overridden by local interpretation
of the high level qualitative criteria in the risk appetite statements. Sectors with a high number of
smaller organisations or low impact customer transactions, such as consumer credit, would rarely
meet these criteria. This leads to Consumer Credit risks only being addressed based on the qualitative
criteria in the risk appetite.
There is additional confusion on how to apply the quantitative measures included in risk
appetite statements. The guidance provided to support the risk appetite statements does not make
the distinction between the treatments of individual or aggregated events. For retail activity, it is
unclear whether the consumer detriment threshold should be measured for a single event – e.g. a
single event exceeding £5M as opposed to the aggregate of a number of smaller events which, when
considered together, exceed £5M. In addition, where the individual events are not meeting the £5M
threshold, they are currently being closed without further action. As a consequence aggregated
areas of risk may not be identified.
Conclusion
The objective of the risk appetite statements that have been developed for each sector was to prioritise
the activities of the sectors on the high risk areas. The current statements do not clearly link to a central
view of risks and lack clearly defined priorities. This has resulted in risk appetite statements that look
and feel generic and at times do not reflect the sector.
The application of the risk appetite is hindered by the lack of sector specific quantitative triggers that
directly reflect the key risks and priorities of each sector. The quantitative measures that have been
developed are often not useful for specific sectors. This results in the need to apply judgement based
on the interpretation of the high level qualitative measures. Judgement heavy approaches often lead to
a larger number of risks being actioned as risk de-prioritisation becomes more subjective.
The risk appetite statements should be reviewed and updated to include:
A clear link between the risk statements of each sector to the overall direction of the FCA
The introduction of sector-specific quantitative measures which map to a central view of risks and
priorities for the sector
Detailed guidance on how the risk appetite statement should be employed to support operational
activities including addressing aggregated events and risk de-prioritisation.
This will ensure the FCA priorities are reflected, while preserving the autonomy of the sectors.
Operational activities have been complicated by the lack of a clearly defined risk appetite
Attempting to embed the risk appetites into operational processes and activities has led to further
confusion and inefficiencies. The translation of the risk appetite statements from the sectors into a set
of decision criteria to support operational processes in the Contact Centre and Event Supervision has
created further confusion.
The Sector risk appetites have been used in some sectors to produce the referral criteria used by the
Contact Centre. The Contact Centre use these referral criteria to review a case and determine which
action should be taken and by whom, i.e. where it should be referred. The referral criteria are complex
and vary between sectors. Contact Centre associates do not have supervisory expertise and the
complexity of the referral criteria often leads to events being passed on to supervision inappropriately.
In addition, the supporting information recorded is frequently inadequate for supervision to understand
the underlying issue. For example, up to 30% of the cases that are referred to the Consumer Credit
team have been referred with no breach or in error. All referred events are further reviewed by a member
of the Consumer Credit triage team which creates an unnecessary burden.
The risk appetites should also provide clear guidance as to where supervisors can and should
deprioritise work when it does not meet the risk appetite thresholds. As a result work is not being
deprioritised and this directly impacts resource capacity. When risks arise, supervisors should refer to
the risk appetite statement to drive any subsequent activity. However, due to the ambiguity and lack of
detail in the statement, supervisors struggle to deprioritise work. In addition, there is a general feeling
that the “risk sits with me” within supervision. This contributes to risks not being de-prioritised.
In addition, there are circumstances where an event is referred to Sector Supervision from Event
Supervision based on the decision criteria set out by the risk appetite statement. The Sector
supervisors, however, don’t have resource capacity and close the event without action – meaning that
in these cases, events which should be addressed, according to the risk appetite, are not being
actioned.
The Events team have recently undertaken work with the Sector supervisors to improve the decision
criteria based on risk appetites, and this has reportedly resolved some inefficiencies relating to the
uncertainty of how the Events team should action events. However, the team still have to type free
text into Intact to support how they have applied the risk appetite.
Conclusion
The lack of a clearly defined and well understood risk appetite statement is affecting operational
decision making. Specifically, the referral processes that have been driven by the risk appetite
statements have resulted in complex instructions for the Contact Centre. Complex referral criteria
increase the likelihood of calls being recorded incompletely and subsequent inappropriate referral to
sector teams.
Additionally, the risk appetites lack sufficient detail to allow supervisors to make decisions about
prioritisation. Supervisors feel that they own and should be accountable for risk. Due to the lack of clear
guidance in the risk appetite statements, supervisors do not feel empowered to proactively
de-prioritise actions and/or supervisory risks.
These issues have a direct impact on resource. In some circumstances resource is targeted at
performing tasks due to a lack of confidence in the activities performed by other teams and in others
resource is focused on risk areas that can and should be de-prioritised.
Risk appetites should be reviewed to ensure they are effective in supporting operational processes such
as the Contact Centre referrals. The review should focus on simplifying the Contact Centre referral
criteria and considering how Intact can support the Events decision and referral processes.
Sectors should consider how to develop a level of detail to support their supervisors in deciding what
to action and having confidence to deprioritise work.
Risks are inconsistently measured and recorded. This is further compounded by the use of
multiple recording systems for risk
Across supervision, risks are recorded using the FCA risk framework scoring model. Risks are scored
on their probability and impact to create an overall score on a nine point scoring system. Different risks
are recorded in different systems, using this framework:
Sector (known) risks are recorded in CRM by sector teams, using ten-point scoring.
Firm-specific risks – known risks for the fixed firms – are recorded in Intact (in the firm-specific
section), using ten-point scoring.
Risk events (Pillar 2) for fixed firms are recorded in Intact (in the firm-specific section), using ten-
point scoring.
Risk events for flexible firms are recorded in Intact (in the flexible firm event section), using four-
point scoring
While this framework is used across supervision, the risk identification and scoring process is subjective
and as a result, there is no consistency in the risks identified and recorded across supervision. The
recorded risks will be scored and prioritised in different, subjective ways and therefore will not be
comparable. This lack of comparability and consistency in how risks are recorded and measured is
evident for Pillar 2 events and emerging risks, as well as known sector risks.
To complicate things further, Event Supervision apply the risk framework differently. They only score
probability on a four point scale, in a ‘cut-down’ version of the wider risk framework. This approach is
only used for flexible firms, for sectors serviced by the Event Supervision team.
This problem of variation in measuring and reporting risks is compounded by the different systems used
for recording risk information. CRM is used to capture sector risks. Intact captures firm-specific risks for
the fixed firm population and risk events for both fixed and flexible firms.
Figure 13: systems for recording risks for Pillar 1, Pillar 2 and sector risks for fixed and flexible firms
Within Intact risk events are recorded separately for fixed and flexible firms, which restricts reporting on
crystallised risk events and complicates the risk event history for firms who move between fixed and
flexible. For example, a flexible firm may have a number of risk events in Intact, but if that firm moves
into the fixed portfolio, the risk events recorded before that move will not be evident or easily available.
There are further issues with the way risks are measured and recorded across the organisation:
In Intact, it is difficult to clearly record comparable risk information for Pillar 2 events.
Information is recorded in free text fields and therefore lacks the detail that would enable reporting
and trend analysis on the event information. Risk tags have been introduced in an attempt to improve
risk reporting, but there still remain some issues, as discussed previously in section 4.
The FCA priority risks are not considered in a consistent fashion across sectors. There is no
consistency or a centralised view of priority risks reflected in the sector risk reporting in CRM.